Facebook already complies with many parts of the law ahead of its implementation in May, says Zuckerberg.

Facebook Inc Chief Executive Mark Zuckerberg said on Tuesday the social network had no immediate plans to apply a strict new European Union law on data privacy in its entirety to the rest of the world, as the company reels from a scandal over its handling of personal information of millions of its users.

Zuckerberg told Reuters in a phone interview that Facebook already complies with many parts of the law ahead of its implementation in May. He said the company wanted to extend privacy guarantees worldwide in spirit, but would make exceptions, which he declined to describe.

“We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing,” said Zuckerberg. He did not elaborate.

His comments signal that U.S. Facebook users, many of them still angry over the company’s admission that political consultancy Cambridge Analytica got hold of Facebook data on 50 million members, may soon find themselves in a worse position than Europeans.

The European law, called the General Data Protection Regulation (GDPR), is the biggest overhaul of online privacy since the birth of the internet, giving Europeans the right to know what data is stored on them and the right to have it deleted.

Apple Inc and some other tech firms have said they do plan to give people in the United States and elsewhere the same protections and rights that Europeans will gain.

Shares of Facebook closed up 0.5 percent on Tuesday at $156.11. They are down more than 15 percent since March 16, when the scandal broke over Cambridge Analytica.

Push for data privacy

Privacy advocacy groups have been urging Facebook and its Silicon Valley competitors such as Alphabet Inc’s Google to apply EU data laws worldwide, largely without success.

“We want Facebook and Google and all the other companies to immediately adopt in the United States and worldwide any new protections that they implement in Europe,” said Jeff Chester, executive director of the Center for Digital Democracy, an advocacy group in Washington.

Google and Facebook are the global leaders in internet ad revenue. Both based in California, they possess enormous amounts of data on billions of people.

Google has declined to comment on its plans.

Zuckerberg said many of the tools that are part of the law, such as the ability of users to delete all their data, are already available for people on Facebook.

“We think that this is a good opportunity to take that moment across the rest of the world,” he said. “The vast majority of what is required here are things that we’ve already had for years across the world for everyone.”

When GDPR takes effect on May 25, people in EU countries will gain the right to transfer their data to other social networks, for example. Facebook and its competitors will also need to be much more specific about how they plan to use people’s data, and they will need to get explicit consent.

GDPR is likely to hurt profit at Facebook because it could reduce the value of ads if the company cannot use personal information as freely and the added expense of hiring lawyers to ensure compliance with the new law.

Failure to comply with the law carries a maximum penalty of up to 4 percent of annual revenue.

It should not be difficult for companies to extend EU practices and policies elsewhere because they already have systems in place, said Nicole Ozer, director of technology and civil liberties at the American Civil Liberties Union of California.

Companies’ promises are less reassuring than laws, she said: “If user privacy is going to be properly protected, the law has to require it.”